Joy Latten wrote: [Fri Apr 28 2006, 06:37:40PM EDT]
The fix for the problem of auditctl -D not working
consists of two patches. One is the userspace patch
and the other is for the kernel.
Below is the kernel patch. I added AUDIT_DEL_ALL flag.
Regards,
Joy
diff -urpN linux-2.6.orig/include/linux/audit.h linux-2.6.patch/include/linux/audit.h
--- linux-2.6.orig/include/linux/audit.h 2006-04-28 15:01:38.000000000 -0500
+++ linux-2.6.patch/include/linux/audit.h 2006-04-28 16:10:06.000000000 -0500
@@ -63,6 +63,7 @@
#define AUDIT_ADD_RULE 1011 /* Add syscall filtering rule */
#define AUDIT_DEL_RULE 1012 /* Delete syscall filtering rule */
#define AUDIT_LIST_RULES 1013 /* List syscall filtering rules */
+#define AUDIT_DEL_ALL 1014 /* Delete all syscall filtering rules */
#define AUDIT_FIRST_USER_MSG 1100 /* Userspace messages mostly uninteresting to kernel
*/
#define AUDIT_USER_AVC 1107 /* We filter this differently */
diff -urpN linux-2.6.orig/kernel/audit.c linux-2.6.patch/kernel/audit.c
--- linux-2.6.orig/kernel/audit.c 2006-04-28 15:01:37.000000000 -0500
+++ linux-2.6.patch/kernel/audit.c 2006-04-28 16:09:03.000000000 -0500
@@ -451,6 +451,7 @@ static int audit_netlink_ok(kernel_cap_t
case AUDIT_ADD_RULE:
case AUDIT_DEL:
case AUDIT_DEL_RULE:
+ case AUDIT_DEL_ALL:
case AUDIT_SIGNAL_INFO:
if (!cap_raised(eff_cap, CAP_AUDIT_CONTROL))
err = -EPERM;
@@ -604,6 +605,7 @@ static int audit_receive_msg(struct sk_b
if (nlmsg_len(nlh) < sizeof(struct audit_rule_data))
return -EINVAL;
/* fallthrough */
+ case AUDIT_DEL_ALL:
case AUDIT_LIST_RULES:
err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
uid, seq, data, nlmsg_len(nlh),
diff -urpN linux-2.6.orig/kernel/auditfilter.c linux-2.6.patch/kernel/auditfilter.c
--- linux-2.6.orig/kernel/auditfilter.c 2006-04-28 15:01:37.000000000 -0500
+++ linux-2.6.patch/kernel/auditfilter.c 2006-04-28 16:09:13.000000000 -0500
@@ -1063,6 +1063,21 @@ static inline int audit_del_rule(struct
return -ENOENT; /* No matching rule */
}
+/* Remove all rules from all filterlists. Protected by
+ * audit_netlink_mutex. */
Just a heads up...
As long as this patch stays in front of the filesystem auditing
patches in the queue (likely), this locking is okay. Otherwise the
removal needs to be protected by audit_filter_mutex.
+static void audit_del_all_rules(void)
+{
+ struct audit_entry *e, *e2;
+ int i;
+
+ for (i=0; i<AUDIT_NR_FILTERS; i++) {
+ list_for_each_entry_safe(e, e2, &audit_filter_list[i], list) {
+ list_del_rcu(&e->list);
+ call_rcu(&e->rcu, audit_free_rule_rcu);
+ }
+ }
+}
+
/* List rules using struct audit_rule. Exists for backward
* compatibility with userspace. */
static void audit_list(int pid, int seq, struct sk_buff_head *q)
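Review bot: The loop header in audit_del_all_rules() does not follow the kernel's spacing convention for operators, which the surrounding auditfilter.c code uses; write it as `for (i = 0; i < AUDIT_NR_FILTERS; i++) {`. The body itself mirrors the unlink-then-deferred-free pattern visible in the hunk (list_del_rcu followed by call_rcu with audit_free_rule_rcu), so no change to the logic is needed. Because the helper returns void, the caller has no way to report how many rules were actually dropped; if a count is wanted in the AUDIT_CONFIG_CHANGE record later, this is the place to accumulate and return it.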
@@ -1233,6 +1248,12 @@ int audit_receive_filter(int type, int p
audit_free_rule(entry);
break;
+ case AUDIT_DEL_ALL:
+ audit_del_all_rules();
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ "auid=%u remove all rules res=%d\n",
+ loginuid, !err);
+ break;
default:
return -EINVAL;
}
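Review bot: The new AUDIT_DEL_ALL case logs `res=%d` from `!err`, but nothing in the case assigns err — audit_del_all_rules() returns void — so the result field reflects whatever err held before the switch rather than the outcome of this operation; the switch and err's initialisation are outside the hunk, so its value here cannot be confirmed from the patch. A bulk removal of every filter rule is a significant configuration change, and this AUDIT_CONFIG_CHANGE record is the only trace of it, so the field should be meaningful. Since the removal cannot fail as written, the smallest fix is to log a fixed success value, `"auid=%u remove all rules res=1\n", loginuid);`, or alternatively have the helper return the number of rules removed and report that instead.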
diff -urpN linux-2.6.orig/security/selinux/nlmsgtab.c
linux-2.6.patch/security/selinux/nlmsgtab.c
--- linux-2.6.orig/security/selinux/nlmsgtab.c 2006-04-28 15:02:20.000000000 -0500
+++ linux-2.6.patch/security/selinux/nlmsgtab.c 2006-04-28 16:08:23.000000000 -0500
@@ -109,6 +109,7 @@ static struct nlmsg_perm nlmsg_audit_per
{ AUDIT_LIST_RULES, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
{ AUDIT_ADD_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
{ AUDIT_DEL_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
+ { AUDIT_DEL_ALL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
{ AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
{ AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ },
};